11 September 2019

services and svchost in Windows

1- services is the list of services

2- svchost is the process that hosts a service. This applies when the service only has a dll file. (Services that have an exe file do not need svchost)


Example 1 (Service using an exe file)-----------------------

HKLM\SYSTEM\CurrentControlSet\Services\
-- ImagePath -> c:\dir\contoh.exe


Example 2 (Service using a dll file)---------------------

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
-- NetworkService: DNSCache lanmanworkstation DHCP

(Dnscache)
HKLM\SYSTEM\CurrentControlSet\Services\Dnscache
-- ImagePath : %SystemRoot%\system32\svchost.exe -k NetworkService -p

HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
-- ServiceDll : %SystemRoot%\system32\dnsrslvr.dll

(LanmanWorkstation)
HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation
-- ImagePath : %SystemRoot%\system32\svchost.exe -k NetworkService -p

HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters
-- ServiceDll : %SystemRoot%\system32\wkssvc.dll

ref: https://web.archive.org/web/20150320155229/https://support.microsoft.com/en-us/kb/314056
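As an added example (not from the original notes, not a Microsoft tool), a PowerShell audit that walks the Svchost group list and resolves each member's ImagePath and Parameters\ServiceDll from the keys shown above, then marks for review any ServiceDll that is missing on disk or not located under system32. It assumes a Windows host and read access to HKLM.

```powershell
# Added example, not part of the original notes: audit svchost-hosted services by
# resolving each group member's ImagePath and Parameters\ServiceDll from the registry
# layout described above. Assumes a Windows host; read access to HKLM is enough.

$svchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$system32    = (Join-Path $env:SystemRoot 'system32').ToLowerInvariant()

function Get-SvchostServiceDll {
    # Every value under the Svchost key is a group name (e.g. NetworkService) whose
    # REG_MULTI_SZ data lists the services that share one svchost.exe instance.
    $groupKey = Get-Item -Path $svchostKey
    foreach ($group in $groupKey.GetValueNames()) {
        foreach ($svc in @($groupKey.GetValue($group))) {
            $svcKey = Join-Path $servicesKey $svc
            if (-not (Test-Path -LiteralPath $svcKey)) { continue }   # listed in a group but not installed
            $imagePath  = (Get-ItemProperty -LiteralPath $svcKey).ImagePath
            $serviceDll = $null
            $paramsKey  = Join-Path $svcKey 'Parameters'
            if (Test-Path -LiteralPath $paramsKey) {
                $serviceDll = (Get-ItemProperty -LiteralPath $paramsKey).ServiceDll
            }
            # Some services keep ServiceDll on the service key itself instead of Parameters.
            if (-not $serviceDll) { $serviceDll = (Get-ItemProperty -LiteralPath $svcKey).ServiceDll }
            # ServiceDll is normally REG_EXPAND_SZ using %SystemRoot%; expand before checking disk.
            $dllOnDisk  = if ($serviceDll) { [Environment]::ExpandEnvironmentVariables($serviceDll) } else { $null }
            $dllExists  = [bool]($dllOnDisk -and (Test-Path -LiteralPath $dllOnDisk))
            $inSystem32 = [bool]($dllOnDisk -and $dllOnDisk.ToLowerInvariant().StartsWith($system32))
            [PSCustomObject]@{
                Group       = $group
                Service     = $svc
                ImagePath   = $imagePath
                ServiceDll  = $dllOnDisk
                DllExists   = $dllExists
                # Anything that is not a present DLL under system32 deserves a look:
                # a missing DLL or one loaded from another directory is not the normal layout.
                NeedsReview = -not ($inSystem32 -and $dllExists)
            }
        }
    }
}

Get-SvchostServiceDll | Sort-Object NeedsReview -Descending | Format-Table -AutoSize
```

Entries with NeedsReview set to True are the ones to compare against a known-good host; a service whose ServiceDll is absent may simply be an optional feature that is not installed.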

04 September 2019

Getting to know a disk image with mmls, fsstat, fls and losetup

image: disk1.dd


1- mmls to list the partitions in the disk
2- get the offset of the relevant partition
3- fsstat -o xxx will list the file system information at offset xxx
4- fls needs -o xxx to create the body file for that partition.

5- losetup can create /dev/loopX to make access to that partition easier. However it needs the offset in bytes (mmls shows its information in sectors).
 So: xxx * 512 (bytes per sector) to get the offset.



1-
# mmls -t dos disk1.dd
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

 Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000000   0000002047   0000002048   Unallocated
02:  00:00   0000002048   0000499711   0000497664   Linux (0x83)
03:  00:01   0000499712   0041940991   0041441280   Linux (0x83)
04:  -----   0041940992   0041943039   0000002048   Unallocated

3-
# fsstat -o 2048 disk1.dd
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: Ext3
Volume Name:
Volume ID: 2c71dce497ca7d83694ea172de905590

Last Written at: Tue Oct  5 11:06:10 2010
Last Checked at: Tue Oct  5 10:04:19 2010

Last Mounted at: Tue Oct  5 11:05:31 2010
Unmounted properly
Last mounted on: /boot
[...]

4-
# fls -o 2048 -r -m C: disk1.dd


5- 
# expr 499712 \* 512
255852544
# losetup -f
/dev/loop0
# losetup -r -o 255852544 /dev/loop0 disk1.dd




Problem mounting a Windows shared folder

check the list of Windows shared folders from Linux

smbclient -L  -U  -d 256


Ubuntu 16 uses SMB protocol 1 by default

Whereas Windows does not support SMB1, but rather SMB 2.1 and 3.

So add -m to specify the protocol

smbclient -L  -U  -d 256 -m smb2

To mount, add vers=3 to the -o options

sudo mount -o vers=3.0,username=,uid=,gid=,forceuid,forcegid, //IP_Address/share_name /mnt/path/




03 March 2019

1) FTK Imager ->  multiple raw files

2) affuse     ->   /mnt/fuse/multipleRawFile.001.raw

3) mmls  (to find the partition offset)

4) losetup -> /dev/loop0   (using the partition offset)

5) file -s /dev/loop0    (check the partition format)


For Timeline----
1) fls -r -m C:  /dev/loop0 > bodyfile.txt


For Mount
1) mount





ref:
1) https://forensicsferret.wordpress.com/2010/06/28/mounting-split-raw-and-encase-segmented-files-with-affuse/
2) https://digital-forensics.sans.org/blog/2010/09/15/dealing-split-raw-type-images

01 March 2019

commands for exploitation

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 5010
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q



First create the working folder: !mona config -set workingfolder c:\logs\%p
Command to generate: !mona bytearray

!mona compare -f C:\ -a



!mona find -type instr -s "jmp esp" -b 0x6250800



msfvenom -a x86 --platform windows -p windows/messagebox TEXT="say hi" -f python -b "\x00" -v buf


Before getting into kernel exploits

Need to know these first

CFG
Memprotect
ASLR
KASLR
DEP
SEHOP